Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Welcome to LinuxQuestions.org, a friendly and active Linux Community.

I'm writing a wireless authenticator that uses iptables to redirect to a login page, then executes more iptables commands to allow the user access once their credentials are verified.

I want the users to be able to use Internet services and connect to each other over SSH and FTP but not things like NetBIOS, SMTP or Rendezvous. I've devised a way to capture this in essentially a single rule.

Insert into the PREROUTING chain of the nat table: if a TCP packet comes in on wlan0 from IP 10.0.0.11 and MAC address 00:30:65:21:a9:ff and is not trying to access special ports on the WLAN, accept it (otherwise let it get DNATed further down the chain).

This rule is inserted at position index of the PREROUTING chain (rather than the filter table's FORWARD chain) because that's where an unauthenticated client will be DNATed to the authentication system.

Can I do this more simply with 'match multiport' and substitute `-o wlan0` for the iprange? I still want to make sure that clients can access those services if they're on the Internet (for example SMTP might be nice) because some people do use AFP over TCP/IP.

I have identical rules for TCP and for UDP because multiport requires a tcp/udp specification.
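Added example, not code from the original post: a small POSIX shell script that expresses the rules described above with `-m mac` and `-m multiport`. Two points a practitioner would want before copying the post's layout. First, `-o wlan0` cannot replace the iprange match in PREROUTING: the output interface is not known until routing has run, so `-o` is only accepted in FORWARD, OUTPUT and POSTROUTING; scoping the restriction to the WLAN is done with `-d 10.0.0.0/24` instead. Second, the nat table is consulted only for the first packet of a connection and an ACCEPT there just means "no NAT for this flow", so a nat PREROUTING rule is the right place to decide whether a client skips the login-page DNAT but not to enforce a port policy; the script keeps the per-client nat rule to that one job and puts the multiport restriction in a filter FORWARD chain, where it is applied to every packet. Matching on source IP plus MAC is also only as strong as the WLAN itself: any station can clone an authenticated peer's addresses, so treat it as session bookkeeping rather than authentication. The interface, subnet, portal address and port lists are assumptions; `IPT` defaults to printing the commands so the script runs without root, and `IPT=iptables` applies them.

```shell
#!/bin/sh
# Added example, not from the original post. Captive-portal rules for one WLAN:
# the nat PREROUTING rule only decides whether a client's first packet skips the
# login-page DNAT; the per-port policy (SSH/FTP between clients OK, SMTP/NetBIOS/
# mDNS only towards the Internet) is enforced in filter FORWARD with multiport.
# IPT defaults to a dry run that prints the commands; run with IPT=iptables
# (as root) to apply them. Interface, subnet, portal and port lists are assumptions.
IPT="${IPT:-echo iptables}"

WLAN_IF="wlan0"
WLAN_NET="10.0.0.0/24"       # assumed client subnet
PORTAL="10.0.0.1:8080"       # assumed address of the login page

# Ports an authenticated client may NOT reach on other WLAN hosts. A range
# counts as two entries against multiport's limit of 15 ports per rule.
TCP_LOCAL_DENY="25,137:139,445"   # SMTP, NetBIOS session/name/datagram, SMB
UDP_LOCAL_DENY="137:139,5353"     # NetBIOS name/datagram, mDNS (Rendezvous)

# One-time setup. Per-client rules are later inserted at position 1 of
# PREROUTING and FORWARD, so they run before the DNAT and before the drop.
setup_portal() {
    # nat: authenticated clients jump here and therefore skip the DNAT below.
    $IPT -t nat -N wlan_authed
    $IPT -t nat -A wlan_authed -j ACCEPT
    $IPT -t nat -A PREROUTING -i "$WLAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$PORTAL"

    # filter: authenticated clients jump here; other WLAN traffic is dropped.
    $IPT -N wlan_fwd
    # Deny the "special" ports only when the destination is another WLAN host,
    # so the same ports stay usable on the Internet (e.g. SMTP to a provider).
    $IPT -A wlan_fwd -d "$WLAN_NET" -p tcp -m multiport --dports "$TCP_LOCAL_DENY" -j DROP
    $IPT -A wlan_fwd -d "$WLAN_NET" -p udp -m multiport --dports "$UDP_LOCAL_DENY" -j DROP
    $IPT -A wlan_fwd -j ACCEPT
    # Replies to connections already allowed need no per-client rule.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WLAN_IF" -j DROP
}

# Per-client rules keyed on source IP *and* source MAC (-m mac is valid in
# PREROUTING, INPUT and FORWARD). $1 = add|del, $2 = IP, $3 = MAC.
client_rules() {
    _act=$1; _ip=$2; _mac=$3
    if [ "$_act" = add ]; then
        $IPT -t nat -I PREROUTING 1 -i "$WLAN_IF" -s "$_ip" -m mac --mac-source "$_mac" -j wlan_authed
        $IPT -I FORWARD 1 -i "$WLAN_IF" -s "$_ip" -m mac --mac-source "$_mac" -j wlan_fwd
    else
        # -D takes the same match spec as the insert, without the position.
        $IPT -t nat -D PREROUTING -i "$WLAN_IF" -s "$_ip" -m mac --mac-source "$_mac" -j wlan_authed
        $IPT -D FORWARD -i "$WLAN_IF" -s "$_ip" -m mac --mac-source "$_mac" -j wlan_fwd
    fi
}

# Called by the login handler once credentials are verified / on logout.
allow_client()  { client_rules add "$1" "$2"; }
revoke_client() { client_rules del "$1" "$2"; }

# Stand-alone run: print the rule set plus the client from the post.
setup_portal
allow_client 10.0.0.11 00:30:65:21:a9:ff
```

Call `allow_client IP MAC` from the login handler and `revoke_client` on logout or idle timeout; because both rules are inserted with `-I ... 1` they are evaluated before the DNAT and before the default drop. Adding a newly denied service means editing the two port lists, not touching any per-client rule, and since UDP has its own list the NetBIOS and mDNS ports are covered for both protocols without duplicating the per-client rule.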